9 out of 10 security leaders state that control failures are the primary reason for data breaches
November 29, 2022
Senior cybersecurity professionals reveal their number one frustration is the inability to continuously measure enterprise-wide security posture and identify control failures.
November 29, 2022, London and New York – Panaseer, a leader in security posture management using Continuous Controls Monitoring, today released the third edition of its Security Leaders Peer Report looking at the concerns and constraints currently faced by CISOs and other senior cybersecurity leaders across the US and UK.
The survey of over 800 respondents from large organisations conducted by Censuswide found that almost 9 in 10 security leaders see the failure of controls expected to be in place as the primary reason for data breaches, and 79% of enterprises have experienced cyber incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but are still occurring – and security leaders are becoming increasingly frustrated.
For the first time, the 2023 report examines how security professionals are personally impacted by the high-pressure environment they work in. Many revealed that a lack of visibility and understanding of their security posture is the leading cause of their frustrations – specifically, the inability to continuously measure enterprise-wide security posture and identify control failures (ranked as number one, with 70% frustrated). Incidents that should have been stopped by an expected control followed closely, with 68% exasperated by this inability to stop preventable breaches. Respondents also pointed to issues with data and tooling as a bigger driver for security team resignations than demands for higher salary and greater seniority.
Each year, the report also looks at how much time security teams dedicate to manually collecting and reporting on security data. This year, Panaseer found that teams spend 59% of their time on these tasks – a 9% increase on the previous year’s research, and a 64% rise from the first survey in 2019. In fact, 70% of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.
As explained by Andreas Wuchner, Field CISO at Panaseer, “To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation. As well as freeing up qualified security professionals to dedicate time to higher value tasks – from threat detection to business continuity planning – automation provides the road to accurate, trustworthy data. We need to prioritise the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads.”
In overcoming the issue of preventable breaches and frustrated security teams, only 44% of organisations are extremely confident in their ability to continuously measure their control gaps. Respondents have pointed to a lack of internal resources (39%), inability to evidence remediation (38%), ineffective tooling (34%) and poor control failure visibility (34%) as the reasons behind this lack of confidence.
However, 82% agree that monitoring and addressing expected controls failure and risk would likely have a bigger impact on their security posture than buying additional tools. This is particularly pertinent given the issue of tool sprawl – the two previous reports have found that it’s not uncommon for organisations to use more than 75 or even 100 security tools.
Fortunately, awareness of how these control failures can be addressed is growing. 88% of security leaders stated they are likely to implement a Continuous Controls Monitoring (CCM) platform in the next two years, a solution critical to measuring and advising on security control effectiveness. That compares to 79% who said the same in 2022.
“Unfortunately, the majority of breaches we see occur because of a preventable security control failure,” says Jim Doggett, CISO at Semperis. “By going back to basics, reducing complexity and truly knowing their security stack – the tools they have and their utilisation – security leaders can achieve an end-to-end view of their organisations’ security posture. And increasingly, they are converging on CCM to provide the single source of truth they need to do so.”
Other key findings from the report point towards a lack of confidence in what to measure to improve security posture. These include:
- Nearly all (99%) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards, but almost three-quarters (72%) admit they are not absolutely satisfied with their ability to do so currently
- Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organisational size and industry
- Of the remainder, 47% simply don’t know the right metrics to monitor and 51% don’t have the resources to help them do it
To find out more, read the full Security Leaders Peer Report here.